I'm trying to help out with an IPA setup, and I'm not sure if or how two
problems are related.
The first thing they noticed was that no users or domains show up in the
web list, but you can go directly to one if you know the name.
Then other services that authenticate via LDAP started complaining that
the SSL certificate was expired. Evidently when they updated, the
certificate for the web site updated, but not LDAP.
In order for ipa-certupdate to run at all, I set httpd on all three
replicas to the previous certificate (expired in Feb), and set the clock to
a date in January where both certificates were valid.
ipa-certupdate proceeds, until it hits an error that it can't find any
servers with the 'CA server' role. Checking 'ipa server-show' for each IPA
server shows the 'CA server' role, but searching by roles yields no
results. At this point I'm stuck, my searching has been fruitless, and I
could use some help. Thank you in advance!
[root@ipa alias]# ipa server-show ipa.westnet.com|grep roles
Enabled server roles: CA server, DNS server, IPA master
[root@ipa alias]# ipa server-show ipa2.westnet.com|grep roles
Enabled server roles: CA server, DNS server, IPA master
[root@ipa alias]# ipa server-show ipa3.westnet.com|grep roles
Enabled server roles: CA server, DNS server, IPA master
[root@ipa alias]# ipa server-find --servrole "CA server"
ipa: ERROR: no matching entry found
[root@ipa alias]# ipa server-find --servrole "DNS server"
ipa: ERROR: no matching entry found
[root@ipa alias]# ipa server-find --servrole "IPA server"
---------------------
0 IPA servers matched
---------------------
----------------------------
Number of entries returned 0
----------------------------
[root@ipa alias]# ipa server-find --servrole "IPA master"
ipa: ERROR: no matching entry found
[root@ipa alias]# ipa server-find --servrole "Jedi Knight"
---------------------
0 IPA servers matched
---------------------
----------------------------
Number of entries returned 0
----------------------------
--
---
========================================================================
Chris Candreva -- chris(a)westnet.com -- http://www.westnet.com/~chris
When Caddy v2.10.X is a reverse proxy for FreeIPA, then after an upgrade to v2.11.? the web services stop working, leading to infinite redirect 301/307 loops when connecting to https://.../ipa/ui
That causes browsers to complain about e.g. "Error_Too_Many_Redirects" without any other output.
Other services like IPA vaults won't work any more.
The error seems to be in the Apache rewrite rule, as all connections to "https://.../ipa/ui" get redirected to non-SSL "http://.../ipa/ui" via 301, which again gets redirected to "https://.../ipa/ui" via 307, which is a loop.
According to https://github.com/alexandzors/caddy/releases, the problem may be related to: "Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454)"
Deactivating FreeIPA's Apache rewrite rules for port 443 as described at https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy does not solve the problem.
Has anyone already had that problem and an idea how it could be fixed to make the rules work with Caddy's new behaviour?
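As an added illustration (this is not code from the post above, from FreeIPA or from Caddy), the following Python model replays the two rewrite rules from FreeIPA's ipa-rewrite.conf template behind a TLS-terminating reverse proxy and follows the redirect chain a browser would see, so the 301-to-http / 307-to-https loop described above can be reproduced offline. The hostnames, the proxy's behaviour (every name resolves to it, plain-http requests get a 307 to https, and the Host header sent to the upstream is chosen by a pluggable policy) and the three Host policies are constructed assumptions; the Apache side follows the template: a Host header that is not exactly the server FQDN (anchored regex match) is redirected to http://FQDN/ipa/..., and a request that did not arrive on port 443 is redirected to https://FQDN/ipa/... unless it is for errors, config or crl.

```python
"""Replay FreeIPA's Apache rewrite rules behind a TLS-terminating reverse
proxy and follow the redirect chain, to show where a 301/307 loop comes from.

Added example; not code from the original post, FreeIPA or Caddy.
The two Apache rules modelled follow FreeIPA's ipa-rewrite.conf template:
  * Host header != server FQDN (anchored regex)        -> 301 http://FQDN/ipa/...
  * request not on port 443, path not errors/config/crl -> 301 https://FQDN/ipa/...
Hostnames, the proxy's 307 and the Host-header policies are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

IPA_FQDN = "ipa.example.test"    # constructed: the FreeIPA server's own name
PROXY_NAME = "id.example.test"   # constructed: public name the proxy answers to
EXEMPT_PREFIXES = ("/ipa/errors", "/ipa/config", "/ipa/crl")

# host_policy(public_host, upstream_hostport) -> Host header sent to Apache
HostPolicy = Callable[[str, str], str]


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def apache_rewrite(host_header: str, server_port: int, path: str) -> Response:
    """What FreeIPA's Apache does with one proxied request."""
    if not path.startswith("/ipa/"):
        return Response(200)
    # RewriteCond %{HTTP_HOST} !^FQDN$ [NC]  ->  http://FQDN/ipa/...  (plain http!)
    if host_header.lower() != IPA_FQDN.lower():
        return Response(301, f"http://{IPA_FQDN}{path}")
    # RewriteCond %{SERVER_PORT} !^443$ (errors/config/crl exempt) -> https://FQDN/ipa/...
    if server_port != 443 and not path.startswith(EXEMPT_PREFIXES):
        return Response(301, f"https://{IPA_FQDN}{path}")
    return Response(200)


def proxy(url: str, host_policy: HostPolicy, upstream_port: int = 443) -> Response:
    """Constructed proxy: every name resolves to it; plain http is bounced to
    https with a 307 (as the post reports); https is forwarded to Apache on
    upstream_port with the Host header chosen by host_policy."""
    u = urlsplit(url)
    if u.scheme == "http":
        return Response(307, f"https://{u.hostname}{u.path}")
    upstream_hostport = f"{IPA_FQDN}:{upstream_port}"
    return apache_rewrite(host_policy(u.hostname, upstream_hostport),
                          upstream_port, u.path)


def follow(url: str, host_policy: HostPolicy, upstream_port: int = 443,
           max_hops: int = 10) -> Tuple[bool, List[str]]:
    """Follow redirects as a browser would. Returns (looped, urls_visited)."""
    visited: List[str] = []
    while len(visited) < max_hops:
        if url in visited:
            return True, visited + [url]
        visited.append(url)
        r = proxy(url, host_policy, upstream_port)
        if r.status == 200:
            return False, visited
        url = r.location
    return True, visited


# Three Host-header policies a proxy might apply (constructed):
def host_passthrough(public_host: str, upstream_hostport: str) -> str:
    return public_host                      # client's Host, unchanged

def host_upstream_hostport(public_host: str, upstream_hostport: str) -> str:
    return upstream_hostport                # upstream address incl. port

def host_pinned(public_host: str, upstream_hostport: str) -> str:
    return IPA_FQDN                         # exactly the IPA FQDN


if __name__ == "__main__":
    start = f"https://{PROXY_NAME}/ipa/ui"
    for name, policy in [("passthrough", host_passthrough),
                         ("upstream host:port", host_upstream_hostport),
                         ("pinned FQDN", host_pinned)]:
        looped, chain = follow(start, policy)
        print(f"{name:20s} loop={looped}  " + " -> ".join(chain))
    # a proxy that talks plain http to Apache trips the port rule instead
    print("plain-http upstream  loop=%s" % follow(start, host_pinned, upstream_port=80)[0])
```

Running it shows that the hostname rule, not the port-443 rule, is what produces a 301 to plain http: any Host value that is not exactly the IPA FQDN (the public proxy name, or the FQDN with a port suffix) triggers it, while a proxy that speaks plain http to Apache trips the port rule and loops on https instead. Whatever Host value the proxy now sends therefore has to equal the IPA FQDN exactly; in Caddy the header sent to the upstream can be set explicitly with the `header_up Host <value>` subdirective of `reverse_proxy`.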